diff --git a/zddc/Containerfile b/zddc/Containerfile
index 5c519f0..3539b2c 100644
--- a/zddc/Containerfile
+++ b/zddc/Containerfile
@@ -63,9 +63,14 @@ LABEL org.opencontainers.image.title="zddc-server" \
       org.opencontainers.image.vendor="VARASYS"
 # wget is in the base image (busybox); explicitly install ca-certificates
-# so outbound HTTPS (e.g. an upstream auth check) works if the operator
-# adds anything later. Keep the install footprint minimal.
-RUN apk add --no-cache ca-certificates && rm -rf /var/cache/apk/*
+# (outbound HTTPS for any future upstream auth check) and tini (PID-1
+# orphan reaper + signal forwarder). zddc-server itself only spawns
+# subprocesses transitively — e.g. once a future render path shells out
+# to pandoc, which in turn shells out to xelatex / lua filters / dot —
+# and any of those grandchildren orphaned by a mid-run crash get
+# reparented to PID 1. Without an init that knows to wait(2) on them,
+# they accumulate as zombies. tini is ~24KB and does exactly this.
+RUN apk add --no-cache ca-certificates tini && rm -rf /var/cache/apk/*
 # Non-root user. UID/GID are deliberately fixed so volume permissions are
 # predictable across hosts.
@@ -99,4 +104,4 @@ EXPOSE 8443
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
   CMD wget --no-check-certificate -q --spider https://localhost:8443/ || exit 1
-ENTRYPOINT ["/usr/local/bin/zddc-server"]
+ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/zddc-server"]
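Review bot: The new `RUN apk add --no-cache ca-certificates tini` line installs both packages unpinned, so the image is no longer reproducible and a later rebuild silently picks up whatever tini/ca-certificates revision the Alpine mirror serves at that moment (hadolint DL3018). Since tini becomes PID 1 of every container built from this file, that is exactly the kind of component whose version should be fixed in the recipe: `RUN apk add --no-cache ca-certificates=<pinned-ver> tini=<pinned-ver>`, with the versions taken from the base image's Alpine release and bumped deliberately. Two smaller things in the same line: `rm -rf /var/cache/apk/*` is redundant once `--no-cache` is passed (harmless, but it suggests the cache clean-up is doing work it is not), and the eight-line comment documents a render path that the commit says does not exist yet — I would cut it to the two facts a reader needs (`# tini: PID-1 init that reaps orphaned grandchildren and forwards signals; zddc-server may later shell out to pandoc and friends.`) and keep the speculative toolchain list out of the Containerfile.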
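Review bot: The new `ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/zddc-server"]` forwards signals only to its direct child, so a `docker stop` during one of the transitive pandoc/xelatex runs the hunk-1 comment describes reaches zddc-server alone; unless zddc-server itself propagates SIGTERM to its children, those grandchildren run until PID 1 exits and the PID namespace is torn down. If graceful shutdown of in-flight renders matters, tini's `-g` flag sends the signal to the whole process group: `ENTRYPOINT ["/sbin/tini", "-g", "--", "/usr/local/bin/zddc-server"]` (confirm first that zddc-server does not `setpgid` its children into their own groups, which would defeat this). Separately, operators who were relying on `docker run --init` or Kubernetes-side init wrappers now get two reapers stacked; that is harmless but worth a line in the image docs so nobody "fixes" it by dropping tini from the ENTRYPOINT.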